Prerequisites
-------------
1. Your server runs at least RHEL 6 or RHEL 7.
FYI, RHEL 5 is an EOL version.
2. The main dependency for installing the ELK stack is Java.
java
----------
[root@sankar-devops-master sankar_elk]# ls -ltrh
total 181M
drwxr-xr-x 8 uucp 143 4.0K Dec 19 16:24 jdk1.8.0_161
-rw-r--r-- 1 root root 181M Dec 20 11:10 jdk-8u161-linux-x64.tar.gz
Java 8 with Alternatives
[root@sankar-devops-master sankar_elk]# cd jdk1.8.0_161/
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]# ls -ltrh
total 26M
-rw-r--r-- 1 uucp 143 63K Dec 19 10:56 THIRDPARTYLICENSEREADME-JAVAFX.txt
-rw-r--r-- 1 uucp 143 5.0M Dec 19 10:56 javafx-src.zip
-r--r--r-- 1 uucp 143 142K Dec 19 16:21 THIRDPARTYLICENSEREADME.txt
-r--r--r-- 1 uucp 143 159 Dec 19 16:21 README.html
-r--r--r-- 1 uucp 143 40 Dec 19 16:21 LICENSE
drwxr-xr-x 3 uucp 143 4.0K Dec 19 16:21 include
drwxr-xr-x 4 uucp 143 4.0K Dec 19 16:21 db
-r--r--r-- 1 uucp 143 3.2K Dec 19 16:21 COPYRIGHT
-rw-r--r-- 1 uucp 143 21M Dec 19 16:21 src.zip
-rw-r--r-- 1 uucp 143 424 Dec 19 16:21 release
drwxr-xr-x 4 uucp 143 4.0K Dec 19 16:21 man
drwxr-xr-x 5 uucp 143 4.0K Dec 19 16:21 jre
drwxr-xr-x 5 uucp 143 4.0K Dec 19 16:21 lib
drwxr-xr-x 2 uucp 143 4.0K Dec 19 16:21 bin
[root@sankar-devops-master jdk1.8.0_161]# alternatives --install /usr/bin/java java /opt/sankar_elk/jdk1.8.0_161/bin/java 2
[root@sankar-devops-master jdk1.8.0_161]# alternatives --config java
There are 3 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java
+ 2 /opt/jdk1.8.0_161/bin/java
3 /opt/sankar_elk/jdk1.8.0_161/bin/java
Enter to keep the current selection[+], or type selection number: 3
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]# alternatives --install /usr/bin/jar jar /opt/sankar_elk/jdk1.8.0_161/bin/jar 2
[root@sankar-devops-master jdk1.8.0_161]# alternatives --install /usr/bin/javac javac /opt/sankar_elk/jdk1.8.0_161/bin/javac 2
[root@sankar-devops-master jdk1.8.0_161]# alternatives --set jar /opt/sankar_elk/jdk1.8.0_161/bin/jar
[root@sankar-devops-master jdk1.8.0_161]# alternatives --set javac /opt/sankar_elk/jdk1.8.0_161/bin/javac
[root@sankar-devops-master jdk1.8.0_161]#
Java Version
[root@sankar-devops-master jdk1.8.0_161]# java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
Environment Variables
[root@sankar-devops-master jdk1.8.0_161]# export JAVA_HOME=/opt/sankar_elk/jdk1.8.0_161
[root@sankar-devops-master jdk1.8.0_161]# export JRE_HOME=/opt/sankar_elk/jdk1.8.0_161/jre
[root@sankar-devops-master jdk1.8.0_161]# export PATH=$PATH:/opt/sankar_elk/jdk1.8.0_161/bin:/opt/sankar_elk/jdk1.8.0_161/jre/bin
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master ~]# rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
[root@sankar-devops-master ~]# echo $?
0
[root@sankar-devops-master ~]# vi /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
~
~
[root@sankar-devops-master ~]# yum install elasticsearch
Loaded plugins: security
Setting up Install Process
elasticsearch | 2.9 kB 00:00
elasticsearch/primary_db | 9.3 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package elasticsearch.noarch 0:2.4.6-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
elasticsearch noarch 2.4.6-1 elasticsearch 26 M
Transaction Summary
======================================================================================================================================
Install 1 Package(s)
Total download size: 26 M
Installed size: 29 M
Is this ok [y/N]: y
Downloading Packages:
elasticsearch-2.4.6.rpm | 26 MB 00:13
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Installing : elasticsearch-2.4.6-1.noarch 1/1
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
sudo service elasticsearch start
Verifying : elasticsearch-2.4.6-1.noarch 1/1
Installed:
elasticsearch.noarch 0:2.4.6-1
Complete!
[root@sankar-devops-master ~]# service elasticsearch status
elasticsearch (pid 2197) is running...
[root@sankar-devops-master ~]# netstat -ntlup |grep 9200
tcp 0 0 ::ffff:127.0.0.1:9200 :::* LISTEN 2197/java
tcp 0 0 ::1:9200 :::* LISTEN 2197/java
[root@sankar-devops-master ~]# curl -X GET http://localhost:9200
{
"name" : "Binary",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "DVTJzhLpQ4mzNEBO3ZzgVg",
"version" : {
"number" : "2.4.6",
"build_hash" : "5376dca9f70f3abef96a77f4bb22720ace8240fd",
"build_timestamp" : "2017-07-18T12:17:44Z",
"build_snapshot" : false,
"lucene_version" : "5.5.4"
},
"tagline" : "You Know, for Search"
}
[root@sankar-devops-master ~]#
Enable Logstash Repository
[root@sankar-devops-master ~]# vi /etc/yum.repos.d/logstash.repo
[logstash]
name=Logstash
baseurl=http://packages.elasticsearch.org/logstash/2.2/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
~
[root@sankar-devops-master ~]# yum install logstash
Loaded plugins: security
Setting up Install Process
logstash | 951 B 00:00
logstash/primary | 2.6 kB 00:00
logstash 5/5
Resolving Dependencies
--> Running transaction check
---> Package logstash.noarch 1:2.2.4-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
logstash noarch 1:2.2.4-1 logstash 73 M
Transaction Summary
======================================================================================================================================
Install 1 Package(s)
Total download size: 73 M
Installed size: 127 M
Is this ok [y/N]: y
Downloading Packages:
logstash-2.2.4-1.noarch.rpm | 73 MB 00:23
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:logstash-2.2.4-1.noarch 1/1
Verifying : 1:logstash-2.2.4-1.noarch 1/1
Installed:
logstash.noarch 1:2.2.4-1
Complete!
[root@sankar-devops-master ~]# vi /etc/pki/tls/openssl.cnf
226 [ v3_ca ]
227
228 subjectAltName = IP: 66.161.124.110
[root@sankar-devops-master ~]# cd /etc/pki/tls/
[root@sankar-devops-master tls]# ls -ltrh
total 24K
drwxr-xr-x. 2 root root 4.0K May 2 2016 private
drwxr-xr-x. 2 root root 4.0K May 10 2016 misc
lrwxrwxrwx 1 root root 19 Jun 1 2017 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root 4.0K Jun 1 2017 certs
-rw-r--r-- 1 root root 11K Apr 17 11:15 openssl.cnf
[root@sankar-devops-master tls]#
[root@sankar-devops-master tls]# openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Generating a 2048 bit RSA private key
........+++
................................................................................+++
writing new private key to 'private/logstash-forwarder.key'
-----
[root@sankar-devops-master tls]#
[root@sankar-devops-master tls]# cd /etc/logstash/conf.d/
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# ls -ltrh
total 0
[root@sankar-devops-master conf.d]# vi input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
~
[root@sankar-devops-master conf.d]# ls -ld /etc/pki/tls/certs/logstash-forwarder.crt
-rw-r--r-- 1 root root 1241 Apr 17 11:17 /etc/pki/tls/certs/logstash-forwarder.crt
[root@sankar-devops-master conf.d]# ls -dl /etc/pki/tls/private/logstash-forwarder.key
-rw-r--r-- 1 root root 1704 Apr 17 11:17 /etc/pki/tls/private/logstash-forwarder.key
[root@sankar-devops-master conf.d]# vi /etc/logstash/conf.d/output.conf
output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
[root@sankar-devops-master conf.d]# vi /etc/logstash/conf.d/filter.conf
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGLINE}" }
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
[root@sankar-devops-master conf.d]# service logstash configtest
Configuration OK
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# service logstash status
logstash is not running
[root@sankar-devops-master conf.d]# service logstash start
logstash started.
[root@sankar-devops-master conf.d]# service logstash status
logstash is running
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# netstat -ntlup|grep 5044
tcp 0 0 :::5044 :::* LISTEN 12621/java
[root@sankar-devops-master conf.d]#
Enable Kibana Repository
[root@sankar-devops-master conf.d]# vi /etc/yum.repos.d/kibana.repo
[kibana]
name=Kibana repository
baseurl=http://packages.elastic.co/kibana/4.4/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
~
~
[root@sankar-devops-master conf.d]# yum install kibana
Loaded plugins: security
Setting up Install Process
kibana | 2.9 kB 00:00
kibana/primary_db | 18 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package kibana.x86_64 0:4.4.2-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
kibana x86_64 4.4.2-1 kibana 32 M
Transaction Summary
======================================================================================================================================
Install 1 Package(s)
Total download size: 32 M
Installed size: 32 M
Is this ok [y/N]: y
Downloading Packages:
kibana-4.4.2-1.x86_64.rpm | 32 MB 00:09
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : kibana-4.4.2-1.x86_64 1/1
Verifying : kibana-4.4.2-1.x86_64 1/1
Installed:
kibana.x86_64 0:4.4.2-1
Complete!
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# service kibana status
kibana is not running
[root@sankar-devops-master conf.d]# service kibana start
kibana started
[root@sankar-devops-master conf.d]# service kibana status
kibana is running
[root@sankar-devops-master conf.d]
[root@sankar-devops-master conf.d]# netstat -antlup |grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 13363/node
[root@sankar-devops-master conf.d]#
The client-end configs
Copy the SSL certificate from the server to the client with scp (only the .crt is copied; the private key stays in /etc/pki/tls/private on the server).
# scp /etc/pki/tls/certs/logstash-forwarder.crt root@192.168.0.100:/etc/pki/tls/certs/
[root@AT-CM-TORBERT skodipilla]# cp logstash-forwarder.crt /etc/pki/tls/certs/
[root@AT-CM-TORBERT skodipilla]# cd /etc/pki/tls/certs
[root@AT-CM-TORBERT certs]# ls -ltrh
total 956K
-rw-r--r-- 1 root root 458K May 15 2012 ca-bundle.crt
-rw-r--r-- 1 root root 2.3K May 15 2012 Makefile
-rwxr-xr-x 1 root root 610 May 15 2012 make-dummy-cert
-rw-r--r-- 1 root root 458K May 15 2012 ca-bundle.crt.rpmnew
-rw-r--r-- 1 root root 1.3K Apr 17 11:47 logstash-forwarder.crt
[root@AT-CM-TORBERT certs]# r
[root@AT-CM-TORBERT certs]# vi /etc/yum.repos.d/filebeat.repo
[filebeat]
name=Filebeat for ELK clients
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1
~
~
[root@sankar-devops-clinet skodipilla]# yum install filebeat
Loaded plugins: langpacks
filebeat | 2.9 kB 00:00:00
mongodb-org-3.2 | 2.5 kB 00:00:00
ol7_UEKR4 | 1.2 kB 00:00:00
ol7_latest | 1.4 kB 00:00:00
percona-release-noarch | 2.9 kB 00:00:00
percona-release-x86_64 | 2.9 kB 00:00:00
puppetlabs-pc1 | 2.5 kB 00:00:00
(1/3): puppetlabs-pc1/x86_64/primary_db | 146 kB 00:00:03
(2/3): filebeat/x86_64/primary_db | 13 kB 00:00:03
(3/3): percona-release-x86_64/7Server/x86_64/primary_db | 738 kB 00:00:04
(1/4): ol7_UEKR4/x86_64/updateinfo | 172 kB 00:00:03
(2/4): ol7_latest/x86_64/updateinfo | 1.7 MB 00:00:03
(3/4): ol7_UEKR4/x86_64/primary | 32 MB 00:00:05
(4/4): ol7_latest/x86_64/primary | 34 MB 00:00:07
ol7_UEKR4 611/611
ol7_latest 26500/26500
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:1.3.1-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
filebeat x86_64 1.3.1-1 filebeat 4.0 M
Transaction Summary
======================================================================================================================================
Install 1 Package
Total download size: 4.0 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/filebeat/packages/filebeat-1.3.1-x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Public key for filebeat-1.3.1-x86_64.rpm is not installed
filebeat-1.3.1-x86_64.rpm | 4.0 MB 00:00:10
Retrieving key from https://packages.elastic.co/GPG-KEY-elasticsearch
Importing GPG key 0xD88E42B4:
Userid : "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
Fingerprint: 4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4
From : https://packages.elastic.co/GPG-KEY-elasticsearch
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : filebeat-1.3.1-1.x86_64 1/1
Verifying : filebeat-1.3.1-1.x86_64 1/1
Installed:
filebeat.x86_64 0:1.3.1-1
Complete!
[root@sankar-devops-clinet skodipilla]#
[root@sankar-devops-clinet skodipilla]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
[root@sankar-devops-clinet skodipilla]# systemctl start filebeat
[root@sankar-devops-clinet skodipilla]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-04-17 12:06:54 PDT; 2s ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Main PID: 27823 (filebeat)
CGroup: /system.slice/filebeat.service
└─27823 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
Apr 17 12:06:54 sankar-devops-clinet systemd[1]: Started filebeat.
Apr 17 12:06:54 sankar-devops-clinet systemd[1]: Starting filebeat...
[root@sankar-devops-clinet skodipilla]# /etc/filebeat/filebeat.yml
input_type: log
document_type: syslog
### Logstash as output
logstash:
# The Logstash hosts
hosts: ["66.161.124.110:5044"]
# Optional TLS. By default is off.
tls:
# List of root certificates for HTTPS server verifications
certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
[root@sankar-devops-clinet filebeat]# systemctl restart filebeat
[root@sankar-devops-clinet filebeat]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-04-17 12:18:37 PDT; 9s ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Main PID: 28103 (filebeat)
CGroup: /system.slice/filebeat.service
└─28103 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
Apr 17 12:18:37 sankar-devops-clinet systemd[1]: Started filebeat.
Apr 17 12:18:37 sankar-devops-clinet systemd[1]: Starting filebeat...
[root@sankar-devops-clinet filebeat]#
[root@sankar-devops-master ~]# curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'
{
"took" : 7,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 2048,
"max_score" : 1.0,
"hits" : [ {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmixs",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 05:36:17 http: TLS handshake error from 192.168.1.10:43626: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"type" : "syslog",
"input_type" : "log",
"fields" : null,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 8625,
"count" : 1,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmixu",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 05:42:33 http: TLS handshake error from 192.168.1.10:39822: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"type" : "syslog",
"input_type" : "log",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 8777,
"count" : 1,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmix1",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 07:07:37 http: TLS handshake error from 192.168.1.10:35232: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"type" : "syslog",
"input_type" : "log",
"count" : 1,
"offset" : 9309,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmix4",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 07:47:23 http: TLS handshake error from 192.168.1.10:50984: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"offset" : 9537,
"type" : "syslog",
"count" : 1,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"input_type" : "log",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmix5",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 07:48:17 http: TLS handshake error from 192.168.1.10:54478: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"type" : "syslog",
"input_type" : "log",
"count" : 1,
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"offset" : 9613,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyR",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 11:33:49 http: TLS handshake error from 192.168.1.10:39402: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"offset" : 11437,
"type" : "syslog",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"input_type" : "log",
"count" : 1,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyS",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 11:35:31 http: TLS handshake error from 192.168.1.10:46244: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 11513,
"type" : "syslog",
"fields" : null,
"input_type" : "log",
"count" : 1,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyT",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 11:36:08 http: TLS handshake error from 192.168.1.10:48636: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"offset" : 11589,
"input_type" : "log",
"fields" : null,
"type" : "syslog",
"count" : 1,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyb",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 13:11:00 http: TLS handshake error from 192.168.1.10:55382: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"offset" : 12197,
"count" : 1,
"fields" : null,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"type" : "syslog",
"input_type" : "log",
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyc",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 13:19:37 http: TLS handshake error from 192.168.1.10:60790: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 12273,
"count" : 1,
"fields" : null,
"type" : "syslog",
"input_type" : "log",
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
} ]
}
}
Note:
By default, Kibana displays the records that were processed during the last 15 minutes,
but you can change that behaviour by selecting another time frame.
How to get the Elasticsearch version
[root@sankar-devops-master ~]# curl -XGET 'localhost:9200'
{
"name" : "Superia",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "DVTJzhLpQ4mzNEBO3ZzgVg",
"version" : {
"number" : "2.4.6",
"build_hash" : "5376dca9f70f3abef96a77f4bb22720ace8240fd",
"build_timestamp" : "2017-07-18T12:17:44Z",
"build_snapshot" : false,
"lucene_version" : "5.5.4"
},
"tagline" : "You Know, for Search"
}
[root@sankar-devops-master ~]#
-------------
1. Your server runs at least RHEL 6 or RHEL 7.
FYI, RHEL 5 is an EOL version.
2. The main dependency for installing the ELK stack is Java.
java
----------
[root@sankar-devops-master sankar_elk]# ls -ltrh
total 181M
drwxr-xr-x 8 uucp 143 4.0K Dec 19 16:24 jdk1.8.0_161
-rw-r--r-- 1 root root 181M Dec 20 11:10 jdk-8u161-linux-x64.tar.gz
Java 8 with Alternatives
[root@sankar-devops-master sankar_elk]# cd jdk1.8.0_161/
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]# ls -ltrh
total 26M
-rw-r--r-- 1 uucp 143 63K Dec 19 10:56 THIRDPARTYLICENSEREADME-JAVAFX.txt
-rw-r--r-- 1 uucp 143 5.0M Dec 19 10:56 javafx-src.zip
-r--r--r-- 1 uucp 143 142K Dec 19 16:21 THIRDPARTYLICENSEREADME.txt
-r--r--r-- 1 uucp 143 159 Dec 19 16:21 README.html
-r--r--r-- 1 uucp 143 40 Dec 19 16:21 LICENSE
drwxr-xr-x 3 uucp 143 4.0K Dec 19 16:21 include
drwxr-xr-x 4 uucp 143 4.0K Dec 19 16:21 db
-r--r--r-- 1 uucp 143 3.2K Dec 19 16:21 COPYRIGHT
-rw-r--r-- 1 uucp 143 21M Dec 19 16:21 src.zip
-rw-r--r-- 1 uucp 143 424 Dec 19 16:21 release
drwxr-xr-x 4 uucp 143 4.0K Dec 19 16:21 man
drwxr-xr-x 5 uucp 143 4.0K Dec 19 16:21 jre
drwxr-xr-x 5 uucp 143 4.0K Dec 19 16:21 lib
drwxr-xr-x 2 uucp 143 4.0K Dec 19 16:21 bin
[root@sankar-devops-master jdk1.8.0_161]# alternatives --install /usr/bin/java java /opt/sankar_elk/jdk1.8.0_161/bin/java 2
[root@sankar-devops-master jdk1.8.0_161]# alternatives --config java
There are 3 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java
+ 2 /opt/jdk1.8.0_161/bin/java
3 /opt/sankar_elk/jdk1.8.0_161/bin/java
Enter to keep the current selection[+], or type selection number: 3
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]# alternatives --install /usr/bin/jar jar /opt/sankar_elk/jdk1.8.0_161/bin/jar 2
[root@sankar-devops-master jdk1.8.0_161]# alternatives --install /usr/bin/javac javac /opt/sankar_elk/jdk1.8.0_161/bin/javac 2
[root@sankar-devops-master jdk1.8.0_161]# alternatives --set jar /opt/sankar_elk/jdk1.8.0_161/bin/jar
[root@sankar-devops-master jdk1.8.0_161]# alternatives --set javac /opt/sankar_elk/jdk1.8.0_161/bin/javac
[root@sankar-devops-master jdk1.8.0_161]#
Java Version
[root@sankar-devops-master jdk1.8.0_161]# java -version
java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)
Environment Variables
[root@sankar-devops-master jdk1.8.0_161]# export JAVA_HOME=/opt/sankar_elk/jdk1.8.0_161
[root@sankar-devops-master jdk1.8.0_161]# export JRE_HOME=/opt/sankar_elk/jdk1.8.0_161/jre
[root@sankar-devops-master jdk1.8.0_161]# export PATH=$PATH:/opt/sankar_elk/jdk1.8.0_161/bin:/opt/sankar_elk/jdk1.8.0_161/jre/bin
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master jdk1.8.0_161]#
[root@sankar-devops-master ~]# rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
[root@sankar-devops-master ~]# echo $?
0
[root@sankar-devops-master ~]# vi /etc/yum.repos.d/elasticsearch.repo
[elasticsearch]
name=Elasticsearch repository
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
~
~
[root@sankar-devops-master ~]# yum install elasticsearch
Loaded plugins: security
Setting up Install Process
elasticsearch | 2.9 kB 00:00
elasticsearch/primary_db | 9.3 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package elasticsearch.noarch 0:2.4.6-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
elasticsearch noarch 2.4.6-1 elasticsearch 26 M
Transaction Summary
======================================================================================================================================
Install 1 Package(s)
Total download size: 26 M
Installed size: 29 M
Is this ok [y/N]: y
Downloading Packages:
elasticsearch-2.4.6.rpm | 26 MB 00:13
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Installing : elasticsearch-2.4.6-1.noarch 1/1
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
sudo service elasticsearch start
Verifying : elasticsearch-2.4.6-1.noarch 1/1
Installed:
elasticsearch.noarch 0:2.4.6-1
Complete!
[root@sankar-devops-master ~]# service elasticsearch status
elasticsearch (pid 2197) is running...
[root@sankar-devops-master ~]# netstat -ntlup |grep 9200
tcp 0 0 ::ffff:127.0.0.1:9200 :::* LISTEN 2197/java
tcp 0 0 ::1:9200 :::* LISTEN 2197/java
[root@sankar-devops-master ~]# curl -X GET http://localhost:9200
{
"name" : "Binary",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "DVTJzhLpQ4mzNEBO3ZzgVg",
"version" : {
"number" : "2.4.6",
"build_hash" : "5376dca9f70f3abef96a77f4bb22720ace8240fd",
"build_timestamp" : "2017-07-18T12:17:44Z",
"build_snapshot" : false,
"lucene_version" : "5.5.4"
},
"tagline" : "You Know, for Search"
}
[root@sankar-devops-master ~]#
Enable Logstash Repository
[root@sankar-devops-master ~]# vi /etc/yum.repos.d/logstash.repo
[logstash]
name=Logstash
baseurl=http://packages.elasticsearch.org/logstash/2.2/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
~
[root@sankar-devops-master ~]# yum install logstash
Loaded plugins: security
Setting up Install Process
logstash | 951 B 00:00
logstash/primary | 2.6 kB 00:00
logstash 5/5
Resolving Dependencies
--> Running transaction check
---> Package logstash.noarch 1:2.2.4-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
logstash noarch 1:2.2.4-1 logstash 73 M
Transaction Summary
======================================================================================================================================
Install 1 Package(s)
Total download size: 73 M
Installed size: 127 M
Is this ok [y/N]: y
Downloading Packages:
logstash-2.2.4-1.noarch.rpm | 73 MB 00:23
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:logstash-2.2.4-1.noarch 1/1
Verifying : 1:logstash-2.2.4-1.noarch 1/1
Installed:
logstash.noarch 1:2.2.4-1
Complete!
[root@sankar-devops-master ~]# vi /etc/pki/tls/openssl.cnf
226 [ v3_ca ]
227
228 subjectAltName = IP: 66.161.124.110
[root@sankar-devops-master ~]# cd /etc/pki/tls/
[root@sankar-devops-master tls]# ls -ltrh
total 24K
drwxr-xr-x. 2 root root 4.0K May 2 2016 private
drwxr-xr-x. 2 root root 4.0K May 10 2016 misc
lrwxrwxrwx 1 root root 19 Jun 1 2017 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x. 2 root root 4.0K Jun 1 2017 certs
-rw-r--r-- 1 root root 11K Apr 17 11:15 openssl.cnf
[root@sankar-devops-master tls]#
[root@sankar-devops-master tls]# openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Generating a 2048 bit RSA private key
........+++
................................................................................+++
writing new private key to 'private/logstash-forwarder.key'
-----
[root@sankar-devops-master tls]#
[root@sankar-devops-master tls]# cd /etc/logstash/conf.d/
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# ls -ltrh
total 0
[root@sankar-devops-master conf.d]# vi input.conf
# /etc/logstash/conf.d/input.conf — Beats listener that the Filebeat clients connect to.
input {
beats {
# Same port the client side points at (filebeat.yml: hosts: ["66.161.124.110:5044"]).
port => 5044
# TLS is enabled; Logstash presents the self-signed certificate generated above with
# `openssl req -x509 ... -days 3650` and the matching private key.
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
# NOTE(review): right after generation this key was listed as -rw-r--r-- (world-readable).
# Tighten it (e.g. chmod 600) and confirm the account the logstash service runs as can
# still read it.
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
# NOTE(review): no client-certificate verification is configured here (the beats input's
# ssl_verify_mode option, where the installed plugin version supports it), so any host
# that can reach port 5044 can submit events. Confirm whether that is acceptable.
}
}
~
[root@sankar-devops-master conf.d]# ls -ld /etc/pki/tls/certs/logstash-forwarder.crt
-rw-r--r-- 1 root root 1241 Apr 17 11:17 /etc/pki/tls/certs/logstash-forwarder.crt
[root@sankar-devops-master conf.d]# ls -dl /etc/pki/tls/private/logstash-forwarder.key
-rw-r--r-- 1 root root 1704 Apr 17 11:17 /etc/pki/tls/private/logstash-forwarder.key
[root@sankar-devops-master conf.d]# vi /etc/logstash/conf.d/output.conf
# /etc/logstash/conf.d/output.conf — ship processed events to the local Elasticsearch node.
output {
elasticsearch {
# Plain HTTP to the node on this host (the version check at the end of the page also
# talks to localhost:9200 over http).
hosts => ["localhost:9200"]
# NOTE(review): sniffing asks the cluster for its node list and may then connect to
# addresses other than localhost; disable it if this pipeline must stay loopback-only.
sniffing => true
# This output does not install an index template; the beat's own template is
# presumably loaded separately — confirm.
manage_template => false
# One index per beat and day, e.g. filebeat-2018.04.17 as seen in the _search output below.
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
# Mapping type taken from the beat's document_type (syslog for the client shown).
document_type => "%{[@metadata][type]}"
}
}
[root@sankar-devops-master conf.d]# vi /etc/logstash/conf.d/filter.conf
# /etc/logstash/conf.d/filter.conf — parse events that the client labelled as syslog.
filter {
# The filebeat prospector shown below sets document_type: syslog, so events from it
# take this branch.
if [type] == "syslog" {
grok {
# Expects syslog-formatted lines. Lines in any other format fail to match and are
# tagged _grokparsefailure — the sample _search output below shows exactly that for
# the "2017/04/25 05:36:17 http: ..." lines from the pmm-mongodb log.
match => { "message" => "%{SYSLOGLINE}" }
}
date {
# Promote the parsed syslog timestamp to @timestamp; presumably a no-op when grok
# did not populate the "timestamp" field — confirm.
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
[root@sankar-devops-master conf.d]# service logstash configtest
Configuration OK
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# service logstash status
logstash is not running
[root@sankar-devops-master conf.d]# service logstash start
logstash started.
[root@sankar-devops-master conf.d]# service logstash status
logstash is running
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# netstat -ntlup|grep 5044
tcp 0 0 :::5044 :::* LISTEN 12621/java
[root@sankar-devops-master conf.d]#
Enable Kibana Repository
[root@sankar-devops-master conf.d]# vi /etc/yum.repos.d/kibana.repo
# /etc/yum.repos.d/kibana.repo — Elastic's Kibana 4.4 package repository.
[kibana]
name=Kibana repository
# NOTE(review): both URLs are plain http. gpgcheck=1 protects the packages themselves,
# but the signing key is also fetched over http here, whereas the filebeat repo below
# fetches the same key over https — prefer https for gpgkey (and baseurl).
baseurl=http://packages.elastic.co/kibana/4.4/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
~
~
[root@sankar-devops-master conf.d]# yum install kibana
Loaded plugins: security
Setting up Install Process
kibana | 2.9 kB 00:00
kibana/primary_db | 18 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package kibana.x86_64 0:4.4.2-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
kibana x86_64 4.4.2-1 kibana 32 M
Transaction Summary
======================================================================================================================================
Install 1 Package(s)
Total download size: 32 M
Installed size: 32 M
Is this ok [y/N]: y
Downloading Packages:
kibana-4.4.2-1.x86_64.rpm | 32 MB 00:09
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : kibana-4.4.2-1.x86_64 1/1
Verifying : kibana-4.4.2-1.x86_64 1/1
Installed:
kibana.x86_64 0:4.4.2-1
Complete!
[root@sankar-devops-master conf.d]#
[root@sankar-devops-master conf.d]# service kibana status
kibana is not running
[root@sankar-devops-master conf.d]# service kibana start
kibana started
[root@sankar-devops-master conf.d]# service kibana status
kibana is running
[root@sankar-devops-master conf.d]
[root@sankar-devops-master conf.d]# netstat -antlup |grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 13363/node
[root@sankar-devops-master conf.d]#
The client-end configuration
Copy the SSL certificate from the server to the client with scp:
# scp /etc/pki/tls/certs/logstash-forwarder.crt root@192.168.0.100:/etc/pki/tls/certs/
[root@AT-CM-TORBERT skodipilla]# cp logstash-forwarder.crt /etc/pki/tls/certs/
[root@AT-CM-TORBERT skodipilla]# cd /etc/pki/tls/certs
[root@AT-CM-TORBERT certs]# ls -ltrh
total 956K
-rw-r--r-- 1 root root 458K May 15 2012 ca-bundle.crt
-rw-r--r-- 1 root root 2.3K May 15 2012 Makefile
-rwxr-xr-x 1 root root 610 May 15 2012 make-dummy-cert
-rw-r--r-- 1 root root 458K May 15 2012 ca-bundle.crt.rpmnew
-rw-r--r-- 1 root root 1.3K Apr 17 11:47 logstash-forwarder.crt
[root@AT-CM-TORBERT certs]# r
[root@AT-CM-TORBERT certs]# vi /etc/yum.repos.d/filebeat.repo
# /etc/yum.repos.d/filebeat.repo — Elastic Beats package repository (client hosts).
[filebeat]
name=Filebeat for ELK clients
# $basearch is expanded by yum to the host architecture (x86_64 in the install below).
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
# The key is fetched over https and imported on first install; yum prompts with the
# fingerprint (4609 5acc ... d88e 42b4 in the transcript below) — compare it against
# Elastic's published fingerprint before answering y.
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1
~
~
[root@sankar-devops-clinet skodipilla]# yum install filebeat
Loaded plugins: langpacks
filebeat | 2.9 kB 00:00:00
mongodb-org-3.2 | 2.5 kB 00:00:00
ol7_UEKR4 | 1.2 kB 00:00:00
ol7_latest | 1.4 kB 00:00:00
percona-release-noarch | 2.9 kB 00:00:00
percona-release-x86_64 | 2.9 kB 00:00:00
puppetlabs-pc1 | 2.5 kB 00:00:00
(1/3): puppetlabs-pc1/x86_64/primary_db | 146 kB 00:00:03
(2/3): filebeat/x86_64/primary_db | 13 kB 00:00:03
(3/3): percona-release-x86_64/7Server/x86_64/primary_db | 738 kB 00:00:04
(1/4): ol7_UEKR4/x86_64/updateinfo | 172 kB 00:00:03
(2/4): ol7_latest/x86_64/updateinfo | 1.7 MB 00:00:03
(3/4): ol7_UEKR4/x86_64/primary | 32 MB 00:00:05
(4/4): ol7_latest/x86_64/primary | 34 MB 00:00:07
ol7_UEKR4 611/611
ol7_latest 26500/26500
Resolving Dependencies
--> Running transaction check
---> Package filebeat.x86_64 0:1.3.1-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================================
Package Arch Version Repository Size
======================================================================================================================================
Installing:
filebeat x86_64 1.3.1-1 filebeat 4.0 M
Transaction Summary
======================================================================================================================================
Install 1 Package
Total download size: 4.0 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7Server/filebeat/packages/filebeat-1.3.1-x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Public key for filebeat-1.3.1-x86_64.rpm is not installed
filebeat-1.3.1-x86_64.rpm | 4.0 MB 00:00:10
Retrieving key from https://packages.elastic.co/GPG-KEY-elasticsearch
Importing GPG key 0xD88E42B4:
Userid : "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"
Fingerprint: 4609 5acc 8548 582c 1a26 99a9 d27d 666c d88e 42b4
From : https://packages.elastic.co/GPG-KEY-elasticsearch
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : filebeat-1.3.1-1.x86_64 1/1
Verifying : filebeat-1.3.1-1.x86_64 1/1
Installed:
filebeat.x86_64 0:1.3.1-1
Complete!
[root@sankar-devops-clinet skodipilla]#
[root@sankar-devops-clinet skodipilla]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
[root@sankar-devops-clinet skodipilla]# systemctl start filebeat
[root@sankar-devops-clinet skodipilla]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-04-17 12:06:54 PDT; 2s ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Main PID: 27823 (filebeat)
CGroup: /system.slice/filebeat.service
└─27823 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
Apr 17 12:06:54 sankar-devops-clinet systemd[1]: Started filebeat.
Apr 17 12:06:54 sankar-devops-clinet systemd[1]: Starting filebeat...
[root@sankar-devops-clinet skodipilla]# vi /etc/filebeat/filebeat.yml
# Excerpt of /etc/filebeat/filebeat.yml (filebeat 1.x syntax, per the 1.3.1 install above).
# Indentation was lost in the paste; these keys sit under the prospector and output sections.
input_type: log
# Every line from this prospector is labelled syslog, which is what the server-side
# filter.conf keys on; lines that are not syslog-formatted end up tagged _grokparsefailure.
document_type: syslog
### Logstash as output
logstash:
# The Logstash hosts
# The server certificate was generated with subjectAltName = IP: 66.161.124.110, so
# connecting by that IP is what lets certificate verification succeed.
hosts: ["66.161.124.110:5044"]
# Optional TLS. By default is off.
tls:
# List of root certificates for HTTPS server verifications
# The self-signed server certificate copied over with scp; filebeat verifies the
# Logstash endpoint against it. No client certificate is configured here, so this is
# server authentication only.
certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
[root@sankar-devops-clinet filebeat]# systemctl restart filebeat
[root@sankar-devops-clinet filebeat]# systemctl status filebeat
● filebeat.service - filebeat
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-04-17 12:18:37 PDT; 9s ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Main PID: 28103 (filebeat)
CGroup: /system.slice/filebeat.service
└─28103 /usr/bin/filebeat -c /etc/filebeat/filebeat.yml
Apr 17 12:18:37 sankar-devops-clinet systemd[1]: Started filebeat.
Apr 17 12:18:37 sankar-devops-clinet systemd[1]: Starting filebeat...
[root@sankar-devops-clinet filebeat]#
[root@sankar-devops-master ~]# curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'
{
"took" : 7,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 2048,
"max_score" : 1.0,
"hits" : [ {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmixs",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 05:36:17 http: TLS handshake error from 192.168.1.10:43626: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"type" : "syslog",
"input_type" : "log",
"fields" : null,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 8625,
"count" : 1,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmixu",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 05:42:33 http: TLS handshake error from 192.168.1.10:39822: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"type" : "syslog",
"input_type" : "log",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 8777,
"count" : 1,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmix1",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 07:07:37 http: TLS handshake error from 192.168.1.10:35232: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"type" : "syslog",
"input_type" : "log",
"count" : 1,
"offset" : 9309,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmix4",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 07:47:23 http: TLS handshake error from 192.168.1.10:50984: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"offset" : 9537,
"type" : "syslog",
"count" : 1,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"input_type" : "log",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmix5",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 07:48:17 http: TLS handshake error from 192.168.1.10:54478: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.361Z",
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"type" : "syslog",
"input_type" : "log",
"count" : 1,
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"offset" : 9613,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyR",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 11:33:49 http: TLS handshake error from 192.168.1.10:39402: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"offset" : 11437,
"type" : "syslog",
"fields" : null,
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"input_type" : "log",
"count" : 1,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyS",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 11:35:31 http: TLS handshake error from 192.168.1.10:46244: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 11513,
"type" : "syslog",
"fields" : null,
"input_type" : "log",
"count" : 1,
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyT",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 11:36:08 http: TLS handshake error from 192.168.1.10:48636: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"offset" : 11589,
"input_type" : "log",
"fields" : null,
"type" : "syslog",
"count" : 1,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyb",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 13:11:00 http: TLS handshake error from 192.168.1.10:55382: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"offset" : 12197,
"count" : 1,
"fields" : null,
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"type" : "syslog",
"input_type" : "log",
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
}, {
"_index" : "filebeat-2018.04.17",
"_type" : "syslog",
"_id" : "AWLVC2qGuLkPPANBmiyc",
"_score" : 1.0,
"_source" : {
"message" : "2017/04/25 13:19:37 http: TLS handshake error from 192.168.1.10:60790: EOF",
"@version" : "1",
"@timestamp" : "2018-04-17T19:18:37.363Z",
"beat" : {
"hostname" : "sankar-devops-clinet",
"name" : "sankar-devops-clinet"
},
"source" : "/var/log/pmm-mongodb-metrics-42003.log",
"offset" : 12273,
"count" : 1,
"fields" : null,
"type" : "syslog",
"input_type" : "log",
"host" : "sankar-devops-clinet",
"tags" : [ "beats_input_codec_plain_applied", "_grokparsefailure" ]
}
} ]
}
}
Note:
By default, Kibana displays the records processed during the last 15 minutes,
but you can change that behaviour by selecting another time frame:
How to get the Elasticsearch version:
[root@sankar-devops-master ~]# curl -XGET 'localhost:9200'
{
"name" : "Superia",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "DVTJzhLpQ4mzNEBO3ZzgVg",
"version" : {
"number" : "2.4.6",
"build_hash" : "5376dca9f70f3abef96a77f4bb22720ace8240fd",
"build_timestamp" : "2017-07-18T12:17:44Z",
"build_snapshot" : false,
"lucene_version" : "5.5.4"
},
"tagline" : "You Know, for Search"
}
[root@sankar-devops-master ~]#